<html>
<head><meta charset="utf-8"><title>Integration into crates.io · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html">Integration into crates.io</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="218107764"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218107764" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> FlyingRatBull <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218107764">(Nov 27 2020 at 16:13)</a>:</h4>
<p>I was curious and rand <code>cargo audit</code> on the top 100 crates on <a href="http://crates.io">crates.io</a> and had a low of warnings and also a vulnerability (already filed an issue). I was wondering if it would make sense to integrate an automatic check into the <a href="http://crates.io">crates.io</a> environment for automatically checking the top (all updated?) crates in the repository on a regular basis.</p>
<p>This would greatly increase the visibility of the advisory database which should in turn contribute to the amount of reported issues and bring the whole Rust ecosystem another step closer to be a secure one.</p>
<p>What are your thoughts on this? Are there any plans or decisions yet?</p>
<p>I would also gladly run an own server which checks the top 10,000 crates on a regular basis if an integration into <a href="http://crates.io">crates.io</a> is not wanted for any reason.</p>



<a name="218108370"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218108370" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> FlyingRatBull <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218108370">(Nov 27 2020 at 16:20)</a>:</h4>
<p>Almost forgot the most important part: (Semi-) automatically filing GitHub issues for the found vulnerabilities and the affected projects</p>



<a name="218111031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218111031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218111031">(Nov 27 2020 at 16:48)</a>:</h4>
<p><span class="user-mention silent" data-user-id="367841">FlyingRatBull</span> <a href="#narrow/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio/near/218108370">said</a>:</p>
<blockquote>
<p>Almost forgot the most important part: (Semi-) automatically filing GitHub issues for the found vulnerabilities and the affected projects</p>
</blockquote>
<p>There is <a href="https://github.com/actions-rs/audit-check">https://github.com/actions-rs/audit-check</a> which runs <code>cargo audit</code> either on PR's or using a specified schedule. In the first case, it simply shows a failed status. In the second case it will open a new issue when a vulnerable dependency is detected.</p>



<a name="218154278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218154278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> FlyingRatBull <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218154278">(Nov 28 2020 at 08:23)</a>:</h4>
<p>I'm not too familiar with GitHub actions, but it seems that they can only be configured for specific repositories (correct me if I'm wrong) which would require every Rust project to know about and integrate <code>cargo audit</code> on their own.</p>
<p>My goal would be to analyze projects (which I do not own, e.g. top 1000 crates on <a href="http://crates.io">crates.io</a>) in bulk and ideally submit issues accordingly. One could even hint about GitHub actions for auditing in the issue.<br>
This way the Rust ecosystem profits a lot more and the advisory database becomes a more integral part of it.</p>



<a name="218485179"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218485179" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218485179">(Dec 01 2020 at 21:36)</a>:</h4>
<p><span class="user-mention" data-user-id="367841">@FlyingRatBull</span> Sorry about the late reply, work was hectic lately. Yes, this sounds like a good idea! We even have much of the code written - <a href="https://gitlab.com/zachreizner/crates-audit/">https://gitlab.com/zachreizner/crates-audit/</a> resolves dependencies for all of <a href="http://crates.io">crates.io</a> and lists all the packages that have advisories and have no semver-compatible fixed version available. <br>
However, I'd say that mass issue creation for every advisory has to be reviewed separately since it's usually easier to get the package with the vuln to issue a semver-compatible point release than to get all downstream dependencies to upgrade.</p>



<a name="218485427"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Integration%20into%20crates.io/near/218485427" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Integration.20into.20crates.2Eio.html#218485427">(Dec 01 2020 at 21:38)</a>:</h4>
<p><span class="user-mention" data-user-id="367841">@FlyingRatBull</span> issues in Cargo.lock are usually not a concern because installation from <a href="http://crates.io">crates.io</a> always fetches latest versions ignoring Cargo.lock. There's also the issue of binary packages e.g. in github releases, but that's not covered until <a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> is uplifted into Cargo (help on this is very welcome btw, since I'm majorly distracted from this work)</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>